### Critical Vulnerability Information

#### Vulnerability Title

- **Test remote endpoint is not rate limited**

#### Severity

- **Level**: Moderate
- **CVSS v3 Base Metrics**:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Required Privileges: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

#### Affected Versions

- **Nextcloud Server**:
  - Affected Versions: 28.0.13, 29.0.10, 30.0.3
  - Fixed Versions: >= 28.0.0, >= 29.0.0, >= 30.0.0
- **Nextcloud Enterprise Server**:
  - Affected Versions: 28.0.13, 29.0.10, 30.0.3
  - Fixed Versions: >= 28.0.0, >= 29.0.0, >= 30.0.0

#### Description and Impact

- **Description**: A now-unused endpoint used for verifying share recipients was not properly protected, allowing proxy requests to another server. This endpoint has been removed.
- **CVE ID**: CVE-2025-47791
- **Weakness**: CWE-918

#### Remediation Recommendations

- **Patch**: It is recommended to upgrade Nextcloud Server to version 28.0.13, 29.0.10, or 30.0.3. It is also recommended to upgrade Nextcloud Enterprise Server to version 28.0.13, 29.0.10, or 30.0.3.

#### Additional Information

- **Workarounds**: No workarounds are available.
- **References**: [PullRequest](#)
- **More Information**:
  - Post on [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories).
  - Customers can open a support ticket at [portal.nextcloud.com](https://portal.nextcloud.com).